Security Leaders Call on C-Suite to Up Their Game

Security leaders and boards are facing a critical moment in the cybersecurity landscape where stricter regulations and a threat landscape that changes by the minute can lead to financial, reputational, and even national security risks.

While collaboration is the only effective path forward, historically, boards and security leaders have often been locked in a power struggle.

Can the C-suite and security leaders see eye to eye? Techopedia asks industry experts for help.

Key Takeaways

  • Security leaders say many boards lack a fundamental understanding of cybersecurity, hindering their ability to properly assess risks and hold leadership accountable.
  • However, leaders struggle to communicate effectively with boards, often resorting to data and presentations instead of impactful storytelling.
  • Board priorities which are focused on short-term gains often clash with the long-term investments needed for robust cybersecurity.
  • Boards need to adapt by including cybersecurity experts, improving communication, and prioritizing investments in this critical area.

Unraveling Contradictions in Executive Boards Today

Surveys and studies reveal the ongoing tug-of-war between boards and security teams. A recent Fortinet report found that 97% of security leaders say their board sees cybersecurity as a business priority.

However, other studies reveal a disconnect. Research from Trend Micro shows the majority of CISOs and security leaders, almost 4 in 5, report pressure from corporate boards to downplay cyber risks.

In the midst of these often contradictory reports, Techopedia set out to discover and learn from top cybersecurity leaders what is truly happening inside boardrooms when they talk security.

Michael Marcotte, founder of the U.S. National Cybersecurity Center (NCC) and current founder of artius.iD — an enterprise-grade cybersecurity and digital identity firm that works with some of the world’s biggest corporations, spoke to Techopedia about the issue.

“The biggest shortcoming is a lack of fundamental understanding and subject matter expertise in cybersecurity. It’s by no means the only shortcoming, but it’s near-universal.”

“The problem is that if you don’t know about the topic, you don’t know what questions to ask. And if you don’t know what to ask, you invariably get the wrong answer.”

Marcotte explained that there are numerous well-meaning board members who are rightly concerned about cybersecurity, but don’t know where to start. “They don’t know where to direct their concern and support of the CEO,” Marcotte said.

“That’s precisely why every board, of every company, needs a cybersecurity expert with deep subject matter expertise.”

The SEC Rule: A Close ‘Swing and Miss’

Eric O’Neill, a legendary FBI operative — known for bringing down the nation’s first cyberspy: Robert Hanssen, a 25-year veteran of the FBI and a notorious Russian mole — is the founder of The Georgetown Group and Nexasure AI, a company that provides cybersecurity advisory services to companies and boards.

Speaking to Techopedia about the shortcomings that exist today in boards, O’Neill referred to the 2023 SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.

“In 2023, the SEC proposed a rule for public companies that would require them to disclose board-level cybersecurity expertise, but the final rule removed this requirement.

“Instead, the SEC final rule requires public companies to describe board oversight of risks from cyber threats and the level of management’s expertise in assessing and managing risks from cybersecurity threats.”

O’Neill advocated for the original rule and added that boards lack an understanding of cybersecurity risk and the incredible financial and reputational damage that occurs in the aftermath of a cyberattack.

“Boards must therefore rely on management to assess and inform them of the risk, which prevents a board from independently assessing whether their company has adequately managed cybersecurity risk. The most informed boards seek outside consultant help to advise them of the risk and learn best cybersecurity practices.”

When Priorities and Business Goals Disenfranchise Security

It is evident that board members and security teams speak different languages and have different priorities and goals despite working under the same roof. The Trend Micro report found that approximately 34% of security leaders said their boards perceive them as “repetitive” or “naggers”.

To counter this disconnect, security teams have begun investing in communication skills, turning to data storytelling, and pitching board members with PowerPoint presentations in an effort to get buy-in and the budget to secure their infrastructure.

But should board members step up their game as well and meet CISOs halfway? Marcotte from artius.iD said:

“Because too many boards don’t take cybersecurity seriously enough, they’re not fighting as hard as they should be to secure that talent.”

Marcotte recognized some advancements and said that boards are increasingly giving cybersecurity issues the right weight of concern when it comes to hiring skilled security experts.

Getting Board Buy-In: An Expert’s Low-down

O’Neill, the former FBI operative from Nexasure AI, spoke to Techopedia about the most effective communication concepts when engaging with boards.

“Storytelling is how I seek to convince boards and where I have found the most success.

“To get the buy-in IT professionals desperately need, a board must be (1) informed of the state and risk of cyber attacks, (2) divorced of the “it can’t happen to me” mentality, and (3) educated about the cost-risk-reward in cybersecurity investment.”

O’Neill explained that walking board members through a real cyber attack as it unfolds, opening their eyes to the incredible disruption, the long days and nights of work, the eventual disclosures, the reputational fallout, and the extra demands on every board member’s time, usually does the trick.

“I’ve found that PowerPoint charts with statistics and angry red lines showing the cost of a cyber attack are inferior to walking the board through [an attack].

“For public companies, it also helps to explain to board members that new SEC rules place the Board partially on the hook for the failure of the company to assess the risk and plan for potential cyberattacks.”

While O’Neill said that the “SEC swung and missed in their final rule”, he still thinks every board of every company should either recruit a director with cybersecurity education or invest in cybersecurity advisory services. O’Neill also warned boards of their responsibilities.

“A core mandate of a board of directors is to provide oversight of the company and the executive team. Without a basic understanding of the cybersecurity landscape and pressing need for security, a board cannot fulfill its duty.”

Boards Fail to Adapt to Modern Times – Stuck In ‘Old Business Mentality’

The functions, responsibilities, and inner workings of boards have changed dramatically in the past decade. Still, despite globalization and digitalization, countless boards have failed to keep up with the shifts of new ways of doing business.

Marcotte from artius.iD told Techopedia that “most boards are packed with finance experts, investors, legal experts, business development, and the like”.

While Marcotte recognized that these areas of expertise are highly useful on the board for specific aspects and functions of the business, the security and technology function needs equal representation – “which it doesn’t have at the moment”.

“It’s like front-loading a soccer pitch with strikers and mid-fielders and forgetting the defenders — the players who are experts in preventing incoming attacks.

“Any company that doesn’t think long-term is destined to fail. Short-term-minded companies don’t invest enough in cybersecurity. It’s as simple as that. They’re too focused on the raw figures for the next quarter.”

O’Neill from Nexasure AI said “Budget is the enemy of cybersecurity”.

“Unfortunately, when budget cuts are required, security (both physical and cyber) are often some of the first depleted cost centers for many companies,” O’Neill said.

“When budget renewals come around, frustrated IT professionals and CISOs often hear that there is no funding for cybersecurity investments.

“This is a lot like cutting fire insurance from the family budget or not renewing the policy as a wildfire rages a mile down the road.”

As Itay Glick, VP of Products at OPSWAT, a global critical infrastructure protection cybersecurity provider, told Techopedia, boards are typically ROI-incentivized.

“It is complicated to provide ROI for most cybersecurity initiatives, which makes the board’s decision-making process challenging.”

“Security leaders win board support by translating complex threats into clear business impacts. This means showing risk in money vs expenditure, giving detailed info on why it is important, and presenting what the ‘market’ is doing in the same area.”

Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning, and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.